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Abstract 

The finite satisfiability problem for guarded fixpoint logic is decid- 
able and complete for 2ExpTime (resp. ExpTime for formulas of bounded 
width). 
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1 Introduction 

The guarded fragment (GF) is a robustly decidable syntactic fragment of first- 
order logic possessing many favourable model theoretic traits, such as the finite 
model property [5] . The guarded fragment has received much attention since its 
conception thirteen years ago |T] and has since seen a number of variants and 
extensions adopted in diverse fields of computer science. One of the most pow- 
erful extensions to date, guarded fixpoint logic (/iGF) was introduced by Gradel 
and Walukiewicz in [5] , who showed that the satisfiability problem of guarded 
fixpoint logic is computationally no more complex than for the guarded frag- 
ment: 2ExpTiME-complete in general and ExpTiME-complete for formulas of 
bounded width. Guarded fixpoint logic extends the modal /x-calculus with back- 
ward modalities, hence it does not have the finite model property. Therefore, 
there is a finite satisfiability decision problem: to determine whether a formula 
has a finite model. Gradel and Walukiewicz left the decidability of this problem 
open. Here we claim this inheritance. 

Main Theorem 1. It is decidable whether or not a given guarded fixpoint 
sentence is finitely satisfiable. The problem is 2ExpTime- complete in general, 
and HxpTlME-complete for formulas of bounded width. 

As noted above the stated hardness results already hold for the guarded 
fragment [5]. The proof of the upper bounds combines three ingredients: 



'Authors were supported by ERC Starting Grant "Sosna". 



1 



i. the tight connection between (iGF and alternating automata [5J; 

ii. decidability of emptiness of alternating automata over finite graphs [SJ; 

iii. a recent development in the finite model theory of guarded logics [2]. 

In what follows, no intricate knowledge of either [3] or [2] is required, the results 
of these papers are used as black boxes: i. & ii. provide the algorithm and the 
construction of iii. proves its correctness. The stated time complexity results 
from combining those of i. (Theorem [3J below) and ii. (Theorem [2]). 

Outline of the paper Guarded fixpoint logic and related notions are intro- 
duced in Section [21 In Section [3J we define alternating automata on undirected 
graphs, and state the result of [5J . Section 2] establishes the connection be- 
tween guarded fixpoint logic and alternating automata along the lines of [BJ . In 
Section [5j we present the algorithm and prove its correctness using [2]. 

2 Guarded Fixpoint Logic 

The guarded fragment of first-order logic comprises only formulas with a re- 
stricted pattern of "guarded quantification" and otherwise inherits the seman- 
tics of first-order logic. Guarded quantification takes the form 

By {R(xy) A <p(xy)) or ; dually, Vy {R(xy) -> ip(xy)) 

where R(xy) is a positive literal acting as a guard by effectively restricting the 
variables x to range only over those tuples occurring in the appropriate positions 
in the atomic relation R. Here it is meant that xy include all free variables of 
(p in no particular order. A guarded set of elements of a relational structure 
21 is a set whose members occur among the components of a single relational 
atom R(a) of 21. Guarded quantification can be understood as a generalisation of 
polyadic modalities of modal logic. Indeed, the guarded fragment was conceived 
precisely with this analogy in mind pQ, therefore it is no coincidence that the 
model theory of the guarded fragment bears such a strong resemblance to that 
of modal logic [7]. 

Guarded fixpoint logic is obtained by extending the guarded fragment of 
first-order logic with least and greatest fixpoint constructs. Its syntax can be 
defined by the following scheme 

ip ::= R{x) | ipAy' \ -*p | By ( R{xy) A ip"{xy) ) | 

Z(z) | [LFP Z,z.tp"'(Z,z)](x) | [GFP Z,z.<p"'[Z,z)](x) 

where R is an arbitrary atomic relation symbol, Z is a second-order fixpoint 
variable, where all free first-order variables of ip"(xy) and ip"'(Z,z) are among 
those indicated, and ip"'(Z,z) is required to be positive in Z. The semantics 
is standard: the least (or greatest) fixpoint of a formula <p"'(Z,z) on a given 
structure is the wrt. set inclusion least (resp. greatest) relation S satisfying 
S(a) f-> Lp"'{S 1 a) for all a on the structure. Crucially, fixpoint variables and 
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fixpoint formulas are not allowed to stand as guard in a guarded quantification, 
only atomic relation symbols may act as guards. Furthermore, within sentences 
it can be assumed wlog. that in the matrix ip"'(Z, z) of a fixpoint formula the 
tuple of free variables z is explicitly guarded [6 . 

Guarded fixpoint logic naturally extends the modal ^-calculus with backward 
modalities. As such it can axiomatise (the necessarily infinite) well-founded 
directed acyclic graphs having no sink nodes, e.g. as follows. 

3xy E(x, y) A ~ixy (e(x, y) -> [ LFP Z, z . VvE(v, z) -> Z(v) } (x) A 3wE(y, w)j 

Guarded bisimulation Guarded logics possess a very appealing model the- 
ory in which guarded bisimulation plays a similarly central role as does bisimu- 
lation for modal logics. A guarded bisimulation [HE] between two structures 2lo 
and 2ti of the same relational signature is a family Z of partial isomorphisms 
a : A — > Ax with Ai C 2lj, satisfying the following back-and- forth conditions, 
(i) For every a : A — > A\ in Z and every guarded subset B of 2lo there is a par- 
tial isomorphism 7 : Co — > C\ in Z with Bq C Co and a|A nc = 7U nc - (ii) 
For every a : Aq —> A\ in Z and every guarded subset B\ of 2ti there is a partial 
isomorphism 7 : Co — > C\ in Z with B\ C C\ and a~~ 1 \A 1 nc 1 — 1" U x nCi' We 
write 2lo, a ~ g 2li, b to signify that there is a guarded bisimulation Z between 
2to and 2li with (a h-> 6) 6 Z and say that a of 2to and & of 2li are guarded 
bisimilar. 

Guarded bisimilarity is an equivalence relation on the set of guarded tuples 
of any relational structure, and guarded fixpoint formulas are invariant under 
guarded bisimulation [7]: if 21, a ~ g 25, b then for every guarded fixpoint formula 
(p it holds that 21 (= f{a) iff 55 |= 99(6) . The guarded fragment has been 
characterised as the guarded-bisimulation-invariant fragment of first-order logic, 
most recently even in the context of finite structures 0. Similarly, guarded 
fixpoint logic is characterised as the guarded-bisimulation-invariant fragment of 
guarded second-order logic [7]. 

3 Alternating two-way automata 

In this section, we introduce alternating automata on undirected graphs. A 
similar model, namely alternating two-way automata on infinite trees, was used 
by Gradel and Walukiewicz [6] in their decision procedure for satisfiability of 
guarded fixpoint logic. They reduced satisfiabilty to the emptiness problem for 
alternating two-way automata on infinite trees. The latter problem was shown 
to be decidable by Vardi [5]. 

In [9l [3j [4] a two-way automaton navigating an infinite tree has the choice of 
moving its head either to the parent or to a child node, or staying in its current 
location. In this paper, instead of automata on directed trees, we consider 
automata on undirected graphs. In an undirected graph, the automaton can 
only choose to stay in place or to move to a neighboring vertex. This is in the 
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spirit of [5J, where automata on directed trees were employed, which did not 
actually distinguish between parent and child nodes. 

An alternating automaton on undirected graphs is defined by: an input al- 
phabet E, a set of states Q, a partition Q = Qy U Qg, an initial state qj, a 
ranking function : Q — > N for the parity acceptance condition, and a transi- 
tion relation 

RQxEx {stay, move} x Q . 

An input to the automaton is an undirected graph whose nodes are labelled by 
S, and a designated node vq of the graph. The automaton accepts an input 
graph G from an initial node vq if player 3 wins the parity game defined below. 

The arena of the parity game consists of pairs of the form (v,q), where v 
is a node of G, and q is a state of the automaton. The initial position in the 
arena is (vo,qi). The rank of a position (v,q), as used by the parity condition, 
is Cl(q). Let u be a node of the input graph, and let a £ £ be its label. In the 
arena of the game, there is an edge from (u,q) to (w,p) if: 

• there is a transition (q, a, stay,p) and u — w; or 

• there is a transition (q, a, move,p) and {u, w} G E(G). 

Some alternating automata on undirected graphs accept only infinite graphs. 
(Given a 3-coloring of a graph by {0, 1, 2}, edges can be directed so that 'target 
color' — 'source color' = 1 mod 3. An automaton can verify 3-coloring and well- 
foundedness of the induced digraph and check for an infinite forward path.) 
Therefore, it makes sense to ask: does a given automaton accept some finite 
graph? This problem was shown decidable in [3J 0] . 

Theorem 2 ([3JH]). Given a alternating automaton on undirected graphs it is 
decidable in exponential time in the number of states of the automaton, whether 
or not it accepts some finite graph. 

Formally, [3l [4] considered two-way automata on directed graphs with the 
automaton having transitions corresponding to: staying in the same node, mov- 
ing forward along an edge, and moving backward along an edge. Clearly, the 
two-way model is more general than the one for undirected graphs. 

Undirected bisimulation We write nodes(G) for the nodes of a graph G. 
Consider two undirected graphs Go and G\, with node labels. An undirected 
bisimulation is a set 

Z C nodes(Go) x nodes(Gi) 

with the following properties. If (vo,v\) belongs to Z, then the node labels of 
1*0 and v\ are the same. Also, for any i £ {0, 1} and node Wi connected to u,; 
by an edge, there exits a node w\-i connected to v\-i by an edge and such 
that (w ,wi) £ Z. We say that node w of a graph Go is bisimilar to node 
v\ in a graph G\ if there is an undirected bisimulation that contains the pair 
(vo, vi). In this case, for every alternating automaton on undirected graphs, the 
automaton accepts Go from v$ if and only if it accepts G\ from v± . 
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Undirected unraveling Consider an undirected graph G and v a node of G. 
The undirected unraveling of G from v is the graph T, whose nodes are paths 
in G that begin in v, and edges are placed between a path and the same path 
without the last node. The undirected unraveling is a tree. We write 

7r : nodes(T) — > nodes(G) 

for the function that maps a path to its terminal node. If G has node labels, 
then one labels the nodes of T according to their images under it. Then, the 
graph of 7r is an undirected bisimulation between T and G. 

4 Tabloids 

Below we work with undirected graphs representing templates of relational 
structures. We call them tabloids alluding to their semblance to the tableaux 
of [BJ. Tabloids are also reminiscent of the 'guarded bisimulation invariants' 
of [2J. Intuitively, vertices of a tabloid represent templates for guarded sub- 
structures and edges signify their overlap. The precise manner of overlap is 
implicitly coded by repeated use of constant names appearing in vertex labels. 
By contrast, [2j [7] code overlaps explicitly as edge labels. 

Tabloid Fix a relational signature E and a set K of constant names. A tabloid 
over signature E and constants K is an undirected graph, where every node v 
is equipped with two labels: a set K v C K, called the constants of v, and an 
atomic E-type t v over K v , called the type of v. If nodes v and w are connected by 
an edge in the graph, then the types t v and r w should agree over the constants 
from K v n K w . 

A structure from a tree tabloid Consider a tabloid T whose underlying 
graph is a tree. We define a E-structure 2t(T) as follows. The universe of 2l(T) 
is built using pairs (u, c), where v is a vertex of T and c is a constant of v. The 
universe consists not of these pairs, but of their equivalence classes under the 
following equivalence relation: (v, c) and {v',d) are equivalent if c = d and c 
occurs in the label of every node on the undirected path connecting v and v' in 
T. The path is unique, because the underlying graph is a tree. We write [v,c] 
for an equivalence class of such a pair. A tuple ([vi, c\], . . . , [i> n ,c n ]) satisfies a 
relation R 6 E in St(T) if there is some node v such that 

[v,Cl] = [Vl,ci], . . . , [v,C n ] = [V n , C„] (1) 

and R(c\, . . . , c n ) is implied by t v . Because T is a tree, this definition does not 
depend on the choice of v, since the set of nodes v satisfying ([T]) is connected. 
It is, however, unclear how to extend this construction to cyclic tabloids. 
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Labelling with a formula Consider a tree tabloid T over constants K and 
signature E. Let p be a formula over E. Consider a node v of T with constants 
ifu, a subformula "0 01 fi and a function 77 that maps free variables of ip to 
constants in K v . For v and 77, define a valuation [77],,, which maps free variables 
of ip to elements of the structure 2l(T), by setting [77] „ (x) = [v, T](x)] . 

The p-type of the node u is the set of pairs (ip, 77) such that ip is a subformula 
of tp or a literal in the signature of ip, and such that ip is valid in 2l(T) under 
the valuation [77] „. Thus each p-type determines a unique atomic type. The set 
of ip-types is finite and depends on K and ip alone, call this set T Vi k- Given 
a tree tabloid T and p, we define T v to be the tree with the same nodes and 
edges as T, but where every node is labelled by its <^-type. 

Recall that the width of a formula is the maximal number of free variables 
in any of its subformulas. The following was established in [6]. 

Theorem 3 ([5]). Let p be a guarded fixpoint sentence of width n and let K 
be a set of In constants. One can compute an alternating automaton A v on 
r 'ip,K -labelled undirected graphs, such that A v accepts a tree T if and only if 

T is of the form T v for a tree tabloid T such that 2l(T) (= p . 

The number of states of A v , and the time to compute it, are 0(\p\ ■ exp(n)) . 

5 Algorithm for finite satisfiability 

We now propose the algorithm for finite satisfiability of guarded fixpoint logic. 
Given a formula tp, we compute the automaton A v using Theorem [3] Then, 
we test if the automaton A v accepts some finite graph, using Theorem [2] The 
combined running time clearly meets the claim of Theorem [T] This section is 
devoted to proving the correctness of this procedure. 

Proposition 4. A formula p of guarded fixpoint logic has a finite model if, and 
only if, the associated automaton A v accepts a finite graph. 

5.1 Prom a finite accepted graph to a finite model 

First we prove that if the automaton A v accepts a finite graph G v , then tp is 
satisfied in some finite structure. By Theorem [31 the undirected unravelling 
of Gip, equally accepted by A v , takes the form T v for a tree tabloid T such 
that 2t(T) |= p. In fact, T is the undirected unravelling of the finite tabloid G 
obtained from G v by restricting its labels to atomic types. 

Lemma 5. Let G be a finite tabloid and T its undirected unraveling. Then 
has finite index on the set of guarded tuples o/2t(T). 

Proof. All guarded subsets of 2l(T) are of the form {[v, c\\, . . . , [v,c r ]} where 
C\, . . . ,0? G K are constant names appearing in the label of v 6 nodes(X'). Let 
7r : nodes(T) — > nodes(G) be the natural projection from T onto G. Then 
(T,v) = (T,w) whenever n(v) — tt(w), so it suffices to show the following. 
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Claim 6. a(T), ([«,<*],...,[«,<*.]) ~ g 2t(T), ([«, a], . . . , [w, c r }) 

for every v and w such that (T, v) = (T, it)) and {ci, . . . , c r } = = K w . 

Let for each v and u> as in the claim a VtW be the partial function mapping 
[v, c] i — ^ [id, c] for all c £ -ftTt,. By definition of 2t(T) we have that each 
partial isomorphism among guarded subsets of 2t(T). We will show that 

Z= {«„ | (7» S (!»} 

is a guarded bisimulation. Take any a ViW £ Z and guarded subset B of 2t(T). 
Then B = {[u,di], . . . ,[u,d s ]} for some u £ nodes(T) and constant names 
D = {di, . . . ,d s } C Because (T, w) = (T,w) there is a y £ nodes(T) 

such that (T,v,u) = (T,w,y). In particular, B C dom(a u ,j,), and the paths 
connecting v with u and w with ?/ are isomorphic. We thus have for every i < r 
and j < s that [w, c^] = [u, dj] iff = dj and Cj £ K z for every node z on 
the path connecting v and u (equivalently, on the path connecting w and y) iff 
[w, Ci] = [y, dj] . Therefore, a UyV and a v ^ w agree on dom(a ttiJ/ ) ndom(a^„,), and 
a~y and agree on rng(a Uj j ) ) n rng(o; t , )!1 ,). This shows that Z satisfies the 
'forth property' and, by symmery, also the 'back property', as needed. □ 

Note that, in stark contrast to bisimulation on graphs, there is no appar- 
ent way of defining a quotient 2l(T) / ~ g . Nevertheless, we can obtain a finite 
structure guarded bisimilar to 2l(T) using the following result. 

Theorem 7 ([2] Theorem 6], cf. also [8]). Every relational structure on which 
~ g has finite index is guarded bisimilar to a finite structure. 

5.2 Prom a finite model to a finite accepted graph 

Next we prove that if (p has a finite model then A v of Theorem [3] accepts some 
finite graph. Recall that all graphs accepted by A v are labelled by 93-types from 
r y ,if, where if is a set of 2n constants, with n the width of ip. So let 21 be a 
finite model of (p. Wlog. all guarded subsets of 21 are of size at most n (as ip is 
oblivious to relational atoms with more than n distinct components, these can 
be safely removed from 21). 

We define a finite tabloid G as follows. Vertices of G are injections \ : A — > 
K, where A is a guarded subset of 21. For each vertex \ its set of constants is 
K x = rng(x), and its type t x is the image of the atomic type of A in 21 under \- 
Two vertices x an d x' are adjacent in G just if x U X IS an injective function. 
This ensures that adjacent nodes are labelled with consistent types, i.e. that G 
is indeed a tabloid. 

Let T be the undirected unraveling of G, and ir : nodes(T) — > nodes(G) the 
natural projection. Then (T,v) = {T,w) whenever 7r(w) = tt(w). From Claim[B] 
and the guarded bisimulation invariance of /zGF it follows that v and w have 
the same label in T v whenever n(v) = tt(w). Hence, it make sense to define 
G v as having the same underlying graph as G with each x £ nodes(G) labelled 
exactly as any and all nodes in tt~ 1 (x)- Then T v is isomorphic to the undirected 
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unravelling of G v . By Theorem^ A v accepts G v iff it accepts T v iff 2l(T) |= (p. 
Thus, to conclude, it suffices to prove the following. 

Claim 8. 21 ~ g 2l(T) 

Proof. For each v 6 nodes(T), ir(v) is an injection \v ■ A v —> K v from a 
guarded subset A v of 21 to the set K v of constant names in the label of v. Let 
7t, : K v — > 2l(T) map each c € K v to [u, c]. Then j v ox v is a partial isomorphism 
between guarded subsets of 21 and 2l(T). We claim that {7^0X1, | v G nodes(T)} 
is a guarded bisimulation between 21 and 2t(T). 

'Forth': Consider j v o Xv ■ A v — >■ {[v, c] \ c 6 K v } and B a guarded subset of 
21. Then, since \B U A\ < \K\ — 2n, there is a vertex \ : B — > X such that 
X«U„ns = xU„ns and x(^)nx'(B) = x{A v C\B). It follows that \ is adjacent 
to in G, hence w — v ■ x is adjacent to v in T, 7t(k;) — Xw — Xi and that thus 
7u> ° X«) fulfills the requirements of the 'forth property'. 

'Back': Consider now j v o % v : A v — > {[v, c] \ c 6 X„} and a guarded subset 
Z? = | d e D} of 2t(T). Let C = L> n A' u . The intersection of B 

and {[f,c] | c € -ft^} consists of those [v,c] such that c G C appears in the 
label of every node along the path p connecting v to w in T. Let u and y be 
adjacent nodes of p. Then ir(u) = Xu and 7r(y) = Xy are adjacent in G and 
thus Xu 1 ]^ — Xy 1 ^- By induction we get that X^IC = X^IC It follows that 
lw ° Xiu satisfies the requirements of the 'back property'. □ 

This completes the proof of Proposition [4j thereby also our Main Theorem [TJ 
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